June 15, 2004

Phishing an epidemic, Browsers still snoozing

Phishing, the sending of spoof emails to trick you into revealing your login passphrase to a fake copy of a site, now seems to be the #1 threat to Internet users. A dubious award, indeed. An article in the New York Times claims that online identity theft caused damages of $5 billion worldwide, while spamming cost a mere $3.5 billion [1]. That was last year, when phishing was just a sniffle. Expect something like $20-30 billion this year from phishing, as we are now facing an epidemic [2].

That article also mentions that 5-20% of these emails work: the victim clicks through, using that nice browser-in-email feature, and enters their hot details into the bogus password-harvesting site.

Reported elsewhere today [3]:

"Nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months, according to a soon-to-be released survey by market research group Gartner. Consumers reported an average loss per incident of $1,200, pushing total losses higher than $2 billion for the year."

"Gartner researcher Avivah Litan blamed online banking for most of the problem."

A recent phishing case in a Texas court awarded something like $200 in damages per victim [4]. That's a court case, so the figures carry some credibility. The FTC reports an average loss of about $5300 per victim for all identity theft [5].

So we are clearly into the many millions of dollars of damage. It is not out of the question that we are reaching the billion-dollar mark, especially if we add in the associated costs. The FTC reported about $53 billion of losses last year; while most identity theft is not Internet-related, the Internet share only needs to be 10% of the total to match the NYT's figure of $5 billion, above.

Let's get our skepticism up front here: I don't believe these figures. Firstly, they are reported quite loosely, with no backing; there is no pretence at academic seriousness. Secondly, they seem to derive from a bunch of vested-interest players, such as mi2g.com and AFWG.org (both being peddlers of some sort of solution). Oh, and here's another group [6].

We know that there is a shortage of reliable figures to go on. Having said that, even if the figures are way off, one conclusion still stands:

This is real money, folks!

Wake-up time! This is actual fraud: money being taken from real, average Internet users, people who download the email programs, browsers and web servers that many of us worked on and used. Forget the hypothetical attacks postulated by Internet security experts a decade or so back. Those attacks were not real; they were a figment of some academic's imagination.

The security model built in to standard browsing is broken. Get over it, guys.

Every year since 2003, Americans will lose more money to this than was ever paid out to CAs for the certificates meant to protect them from the MITM [7]. By the end of this year, Americans will have been defrauded, I predict, to the same extent as VeriSign's peak market cap.

The secure browser falls to the MITM in three ways that I know of: phishing, click-thru syndrome, and the substitute CA.

The new (since 2002) phishing attack is a classical MITM that breaches secure browsing: it convinces some users to go to the MITM's site instead of the real one. It's what happens when a false sense of security goes on too long. That secure browsing falls to the MITM is unfortunate, but what's really sad is that the Internet security community declines to accept the failure of the SSL/CA/secure-browsing model.

Until this failure is recognised, there is no hope of moving on. What needs to be done is to realise that the browser is the front line of defence for the user: it is the only agent that knows anything about the user's browsing activity, and so the only agent that can tell a new spoof site from an old, well-used and thus trusted site.

Internet security people need to wind the clock forward by about a decade and start thinking about how to protect ordinary Internet users from the billions of dollars being taken from their pockets. Or not, as the case may be. But in the meantime, let's just accept that the browser has a security model worth diddly squat, and start thinking about how to fix it.
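The browser-side site memory argued for above, as an added example that is not from the original post: it records each TLS visit's host and certificate fingerprint, and on the next navigation classifies the site as well-used, rarely used, new, or cert-changed, flagging a new host that resembles a well-used one. The host names, fingerprints, visit counts and the five-visit threshold are constructed assumptions.

```javascript
// Added example (not from the post): the "site memory" a browser could keep to tell a
// well-used site from a new or look-alike one. Hosts, fingerprints and visit counts are
// constructed sample data; the five-visit threshold is an assumption.
const WELL_USED_VISITS = 5;

// Normalise a host for comparison only: lowercase, drop "www.", and fold the digit
// look-alikes 1->l and 0->o that spoof hosts commonly substitute.
const norm = (s) => s.toLowerCase().replace(/^www\./, "").replace(/1/g, "l").replace(/0/g, "o");

// Classic edit distance, used to spot near-miss spellings of a known host.
function levenshtein(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

class SiteMemory {
  constructor() { this.sites = new Map(); } // lowercased host -> { fingerprint, visits }
  // Record a completed TLS visit to `host` whose server cert had `fingerprint`.
  record(host, fingerprint) {
    const h = host.toLowerCase();
    const prev = this.sites.get(h);
    if (prev && prev.fingerprint === fingerprint) { prev.visits += 1; return; }
    this.sites.set(h, { fingerprint, visits: 1 }); // first visit, or the cert changed
  }
  // A well-used host that is a label prefix of this one (bank.example.evil.net), or
  // within two edits of it after normalisation, makes this host a look-alike.
  findLookalike(h) {
    const n = norm(h);
    for (const [known, info] of this.sites) {
      if (info.visits < WELL_USED_VISITS) continue;
      const k = norm(known);
      if (n.startsWith(k + ".") || levenshtein(n, k) <= 2) return known;
    }
    return null;
  }
  // Classify a navigation before the page is rendered. A familiar host presenting a
  // different cert is reported first: that is the MITM case itself.
  classify(host, fingerprint) {
    const h = host.toLowerCase();
    const prev = this.sites.get(h);
    if (prev && prev.fingerprint !== fingerprint) return { verdict: "cert-changed", lookalikeOf: null };
    if (prev && prev.visits >= WELL_USED_VISITS) return { verdict: "well-used", lookalikeOf: null };
    return { verdict: prev ? "rarely-used" : "new", lookalikeOf: this.findLookalike(h) };
  }
}
```

A real browser would key the memory on the certificate chain as well as the host and surface the verdict in its chrome, outside the page's control; the classification logic is the part shown here.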

A lot of perfectly respectable small businesses are raking in money from Internet fraud.

From identity theft to bogus stock sales to counterfeit prescription drugs, crime is rife on the Web. But what has become the Wild West for savvy cybercriminals has also developed into a major business opportunity for cybersleuths.

The number of security companies that patrol the shady corners of the virtual world is small but growing.

"As more and more crime is committed on the Internet, there will be growth of these services," said Rich Mogull, research director for information security and risk at Gartner, a technology-market research firm in Stamford, Connecticut.

ICG, a Princeton, New Jersey, company founded in 1997, has grown to 35 employees and projected revenue of $7 million this year from eight employees and $1.5 million in revenue just four years ago, said Michael Allison, its founder and chief executive.

ICG, which is licensed as a private investigator in New Jersey, tracks down online troublemakers for major corporations around the world, targeting spammers and disgruntled former employees as well as scam artists, using both technology and more traditional cat-and-mouse tactics.

"It's exciting getting into the hunt," said Allison, a 45-year-old British expatriate. "You never know what you're going to find. And when you identify and finally catch someone, it's a real rush."

According to Mi2g, a computer security firm, online identity theft last year cost businesses and consumers more than $5 billion worldwide, while spamming drained $3.5 billion from corporate coffers. And those numbers are climbing, experts say.

"The Internet was never designed to be secure," said Alan Brill, senior managing director at Kroll Ontrack, a technology services provider that was set up in 1985 by Kroll Associates, an international security company based in New York. "There are no guarantees."

Kroll has seven crime laboratories around the world and is opening two more in the United States because of the growing demand for such work.

ICG clients, many of whom Allison will not identify because of privacy agreements, include pharmaceutical companies, lawyers, financial institutions, Internet service providers, digital entertainment groups and telecommunication giants.

One of the few cases that ICG can talk about is a spamming problem that happened a few years ago at Ericsson, the Swedish telecommunications company. Hundreds of thousands of e-mail messages promoting a telephone-sex service inundated its servers hourly, crippling the system.

"They kept trying to filter it out," said Jeffrey Bedser, ICG chief operating officer. "But the spam kept on morphing and getting around the filter."

Bedser and his team plugged the spam message into search engines and located other places on the Web where it appeared. Some e-mail addresses turned up, which led to a defunct e-fax Web site. And that Web site had in its registry the name of the spammer, who turned out to be a middle-aged man living in the Georgetown section of Washington.

Several weeks later, the man was sued. He ultimately agreed to a $100,000 civil settlement, though he didn't go away, Bedser said.

"The guy sent me an e-mail that said, 'I know who you are and where you are,'" Bedser recalled. "He also signed me up for all kinds of spam and I ended up getting flooded with e-mail for sex and drugs for the next year."

Allison says ICG's detective work is, for the most part, unglamorous, involving mostly sitting in front of computers and "looking for ones and zeros." Still, there are some private-eye moments. Computer forensic work, for instance, takes investigators to corporate offices all over America, sometimes in the dead of night.

Searching through the hard drives of suspects - always with a company lawyer or executive present - the investigators hunt for "vampire data," or old e-mails and documents that the computer users thought they had deleted long ago.

In some cases, investigators have to be a little bit sneaky themselves. Once, an ICG staffer befriended a suspect in a "pump-and-dump" scheme - in which swindlers heavily promote a little-known stock to get the price up, then sell their holdings at artificially high prices - by chatting with him electronically on a chess Web site.

The Internet boom almost guarantees an unending supply of cybercriminals. "They're like mushrooms," Allison said.

Right now, the most crowded fields of criminal activity are the digital theft of music and movies, illegal prescription-drug sales and "phishers," identity thieves who pose as representatives of financial institutions and send out fake e-mails to people asking for their account information. The Anti-Phishing Working Group, an industry association, estimates that 5 percent to 20 percent of recipients respond to these phony e-mails.

In 2003, 215,000 cases of identity theft were reported to the Federal Trade Commission, an increase of 33 percent from the year before.

This bad news for consumers is a growth opportunity for ICG. "The bad guys will always be out there," Allison said. "But we're getting better and better. And we're catching up quickly."

Many corporations have responded by shutting down access to simple information that might be used to reveal their true identity, and thereby hope to avoid a phishing attack on their online client base. By protecting their InterNIC Whois information they are removing a database that the browser might be able to use to verify the entity sending the web page, or for that matter the email that invites the attack.

So the response has been one of shuttering the information and making it hard for those who wish to steal a method to fabricate the identity; that response is more typical of an ostrich and begs for the complete opposite: an open, more revealing means for their valued clients to verify their identity. This can of course be done with any number of features; one mentioned is altering the browser.

But what if it is as simple as all communications for this company with its online clients using a particular IP address rather than the alpha .com or whatever? Since these numbers can be unique, why not simply use them as that?